Encoding 101
Base64, Hex Strings, and URL (% Style) Encodings for Payload Transmission As Strings
The approach to manual source code analysis will vary depending on whether we choose to begin with the examination of sources or sinks. Data enters an application through a source, and is used (or operated on) in a sink.
In a top down approach, we would identify sources first. If we do not have authenticated access to the web application, we would obviously begin searching for vulnerabilities in unauthenticated resources. Tracing the application flows to their respective sinks, we would then attempt to identify any sensitive functionality and determine what controls are in place (such as input validation).
In a bottom up approach, we would first identify sinks. Our goal would be to determine if any sinks contain vulnerabilities and what variables or values the vulnerable code uses. We would then need to determine how the application calls the vulnerable function and trace the application flow back to a source. As with the top down approach, we need to be mindful of any filters or input sanitization that might affect the payload needed to exploit the vulnerable function.
A bottom up approach is more likely to result in higher-severity vulnerabilities with a lower likelihood of exposure, since dangerous sinks often sit behind privileged functionality. A top down approach, however, is likely to uncover lower-severity vulnerabilities with a higher likelihood of exposure, since it starts from the code every user can reach. For example, vulnerabilities discovered during a bottom up approach might allow admin users to gain remote code execution. On the other hand, vulnerabilities discovered in a top down approach might allow any user to exploit cross-site scripting.
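The bottom up procedure above (find a sink, work its arguments back to a source, and note any sanitizer on the path) can be mechanised for a first pass. The following is an added example, not code from the original page: a small tracer built on Python's `ast` module. The `SOURCES`, `SINKS` and `SANITIZERS` names are assumptions chosen for illustration, and `SAMPLE_APP` is a constructed handler module rather than real application code.

```python
"""Bottom-up source/sink tracer for Python web handlers (added example).

SOURCES/SINKS/SANITIZERS are assumed name sets for illustration; SAMPLE_APP is a
constructed module, not real application code.
"""
import ast

SOURCES = {"request.args.get", "request.form.get", "request.get_json"}  # assumed: user input enters here
SINKS = {"os.system", "subprocess.call", "eval", "cursor.execute"}       # assumed: dangerous operations
SINK_ARGS = {"cursor.execute": (0,)}   # only the SQL string matters, not the bound parameters
SANITIZERS = {"shlex.quote", "int"}    # assumed: calls that neutralise taint on the path


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def collect_defs(func):
    """Map variable name -> assigned expression (assumes one assignment per name)."""
    defs = {}
    for node in ast.walk(func):
        if isinstance(node, ast.Assign) and len(node.targets) == 1 and isinstance(node.targets[0], ast.Name):
            defs[node.targets[0].id] = node.value
    return defs


def trace(expr, defs, seen=frozenset()):
    """Walk expr backwards toward a source. Returns (source_name or None, sanitized)."""
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SOURCES:
            return name, False
        operands = [expr.func] + expr.args + [k.value for k in expr.keywords]
        src, sanitized = trace_all(operands, defs, seen)
        return (src, src is not None) if name in SANITIZERS else (src, sanitized)
    if isinstance(expr, ast.Name):
        if expr.id in seen or expr.id not in defs:
            return None, False            # parameters and globals are treated as clean
        return trace(defs[expr.id], defs, seen | {expr.id})
    # Constants have no children; BinOp, f-strings, lists etc. are traced element-wise.
    return trace_all(list(ast.iter_child_nodes(expr)), defs, seen)


def trace_all(nodes, defs, seen):
    """First source reached by any of the nodes, with its sanitized flag."""
    for node in nodes:
        src, sanitized = trace(node, defs, seen)
        if src is not None:
            return src, sanitized
    return None, False


def analyze(code):
    """Bottom-up pass: locate every sink call, then trace its arguments back to a source."""
    findings = []
    for func in ast.walk(ast.parse(code)):
        if not isinstance(func, ast.FunctionDef):
            continue
        defs = collect_defs(func)
        for call in ast.walk(func):
            if not isinstance(call, ast.Call) or dotted_name(call.func) not in SINKS:
                continue
            sink = dotted_name(call.func)
            operands = call.args + [k.value for k in call.keywords]
            if sink in SINK_ARGS:
                operands = [call.args[i] for i in SINK_ARGS[sink] if i < len(call.args)]
            source, sanitized = trace_all(operands, defs, frozenset())
            status = "no source reached" if source is None else ("sanitized" if sanitized else "vulnerable")
            findings.append({"function": func.name, "sink": sink, "line": call.lineno,
                             "source": source, "status": status})
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample handlers (not real application code) covering each outcome.
SAMPLE_APP = '''
import os, shlex, subprocess
from flask import request

def ping():
    host = request.args.get("host", "127.0.0.1")
    os.system("ping -c 1 " + host)                               # source reaches sink unfiltered

def ping_safe():
    host = request.args.get("host", "127.0.0.1")
    safe = shlex.quote(host)
    os.system("ping -c 1 " + safe)                               # sanitizer sits on the path

def lookup(cursor):
    uid = request.form.get("id")
    cursor.execute("SELECT * FROM users WHERE id = " + uid)      # string concatenation into SQL

def lookup_param(cursor):
    uid = request.form.get("id")
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))  # SQL string itself is constant

def version():
    subprocess.call(["uname", "-a"])                             # sink with no source behind it
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE_APP):
        print(f"{f['function']:13} line {f['line']:2}  {f['sink']:15} <- {f['source']}  [{f['status']}]")
```

The tracer is intraprocedural and assumes one assignment per variable, so it reports a sink as "no source reached" whenever the tainted value arrives through a parameter or a global; in a manual review that is exactly the point where you keep following the call chain back toward a source, as the text describes.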
Some of the things we should be looking for during code analysis: